Strategies for Federal Agencies to Prevent Data Exfiltration and Mitigate Risks

How to Prevent Data Exfiltration and Mitigate Risks

Fortanix
6 min read · Jun 21, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) made a critical announcement: it publicly issued Emergency Directive 24-02 in response to a recent and alarming cyber campaign staged by the Russian state-sponsored group Midnight Blizzard.

This insidious campaign successfully infiltrated Microsoft corporate email accounts, specifically targeting the email correspondence of Federal Civilian Executive Branch (FCEB) agencies. The attackers exfiltrated sensitive information, posing a significant threat to national security.

Perimeter Security Failure in Cloud

Cybercriminals can steal valid authorization credentials through sophisticated techniques. Traditional perimeter-defense practices, which focus on protecting the outer layer of an organization’s network, fail to detect and mitigate attackers who operate with those credentials from inside. Once inside the perimeter, cybercriminals can move laterally across the network, escalating privileges and exfiltrating valuable data without triggering sufficient alarms.

Federal agencies should implement more advanced and comprehensive cybersecurity strategies, starting with a data-centric approach to protect data throughout its lifecycle.

Encryption is the primary measure organizations choose. It must be applied wherever the data is, i.e., at rest, in transit, and in use. However, its effectiveness depends on the organization’s control over the keys: knowing exactly how, by whom, and when the keys are used.

At Fortanix, we prioritize a data-first strategy. Our Fortanix Data Security Manager (DSM) platform, built on confidential computing, provides comprehensive solutions for protecting data while ensuring its availability and integrity.

Learn how the Fortanix platform can empower your federal security teams to protect critical information.

1) Encrypt All Data Across All Environments

Accidental deviations are unintended variations in how cryptographic policy is enforced, arising when different encryption methods or configurations are applied inconsistently across environments. Within federal systems they often stem from human error, misconfiguration, and complex integrations between systems. Policies might not align uniformly across all environments, and integrating legacy systems with newer technologies can cause compatibility issues, leading to unintentional lapses in encryption.

These deviations can introduce potential vulnerabilities, as data protection measures may not be uniformly maintained. By utilizing NIST-recommended algorithms and enforcing cryptographic policies uniformly, the Fortanix DSM platform ensures a consistent application of security standards across all environments.

Built on confidential computing technologies, including Intel SGX, Fortanix ensures that all cryptographic operations occur within a trusted execution environment, keeping data secure even during processing.

2) Manage Keys from a Single Control Panel

Federal systems differ primarily due to the diverse missions of various agencies. Each operates within its own domain, leading to distinct IT infrastructures tailored to specific needs. For example, the Department of Defense prioritizes high-security systems for military data, while Health and Human Services focuses on accessible systems for patient records.

These varied systems are managed based on their unique requirements and regulations. Agencies adopt different security protocols, encryption standards, and data management practices. While these approaches ensure optimal support for each agency’s functions, they complicate unified data security across the federal landscape.

One major perk of the Fortanix DSM platform is its centralized key management. No matter where your data resides, on-premises, in the cloud, or in hybrid environments, you can manage encryption keys from one streamlined interface. Security teams can create, rotate, and manage keys with just a few clicks, boosting oversight and control. This unified approach helps prevent the chaos and confusion of scattered key storage.
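As an added example (not Fortanix code or the DSM API), the Go program below shows what "rotate keys from one place without touching the data" means mechanically. It is envelope encryption with numbered key-encryption-key (KEK) versions: each data key (DEK) is sealed under one KEK version, rotation only changes which version new wraps use, an existing wrapped DEK can be moved onto the current version, and a version can be retired once nothing depends on it. The data encrypted under the DEK is never rewritten. The `KeyRing` and `WrappedDEK` names, the use of AES-256-GCM, and the DEK value in `main` are the example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gcm returns AES-256-GCM for a 32-byte key.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext, binds aad, and prepends the random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the ciphertext or aad fails the tag check.
func open(key, ct, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil || len(ct) < g.NonceSize() {
		return nil, fmt.Errorf("unusable key or short ciphertext (err=%v)", err)
	}
	n := g.NonceSize()
	return g.Open(nil, ct[:n], ct[n:], aad)
}

// WrappedDEK sits next to stored data: the data key sealed under one numbered
// KEK version. The data itself is encrypted under the DEK and never rewritten.
type WrappedDEK struct {
	KEKVersion int
	Blob       []byte
}

// KeyRing is the central key store: versions[i] holds KEK version i+1 and the
// newest entry is current. KEK bytes never leave the ring.
type KeyRing struct{ versions [][]byte }

// Rotate generates a fresh KEK and makes it current; older versions stay.
func (r *KeyRing) Rotate() error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	r.versions = append(r.versions, kek)
	return nil
}

// Retire drops a KEK version once every DEK has been rewrapped off it.
func (r *KeyRing) Retire(v int) { r.versions[v-1] = nil }

func (r *KeyRing) Wrap(dek []byte) (WrappedDEK, error) {
	v := len(r.versions) // the newest version is current
	if v == 0 {
		return WrappedDEK{}, fmt.Errorf("no KEK yet: call Rotate first")
	}
	blob, err := seal(r.versions[v-1], dek, []byte(fmt.Sprint("kek-v", v)))
	return WrappedDEK{KEKVersion: v, Blob: blob}, err
}

func (r *KeyRing) Unwrap(w WrappedDEK) ([]byte, error) {
	v := w.KEKVersion
	if v < 1 || v > len(r.versions) || r.versions[v-1] == nil {
		return nil, fmt.Errorf("KEK version %d unknown or retired", v)
	}
	return open(r.versions[v-1], w.Blob, []byte(fmt.Sprint("kek-v", v)))
}

// Rewrap moves a DEK onto the current KEK version; the data stays untouched.
func (r *KeyRing) Rewrap(w WrappedDEK) (WrappedDEK, error) {
	dek, err := r.Unwrap(w)
	if err != nil {
		return WrappedDEK{}, err
	}
	return r.Wrap(dek)
}

func main() {
	ring := &KeyRing{}
	_ = ring.Rotate()                                               // KEK v1
	w, _ := ring.Wrap([]byte("0123456789abcdef0123456789abcdef")) // constructed DEK
	_ = ring.Rotate()     // v2 is current, v1 kept
	w, _ = ring.Rewrap(w) // DEK moves to v2; any data sealed under it is untouched
	ring.Retire(1)
	fmt.Println(ring.Unwrap(w))
}
```

The version number in the AAD ties each blob to the KEK that wrapped it, so a blob relabelled with another version fails authentication rather than decrypting to garbage. Retiring a version is deliberately a separate step from rotating: rotation must never make existing data unreadable, and retirement should happen only after an inventory confirms nothing still references the old version.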

3) Securely Store Keys and Credentials

Fortanix DSM integrates natively with FIPS 140-2 Level 3 (and soon to be FIPS 140-3 Level 3) Hardware Security Modules (HSMs) to store encryption keys securely.

FIPS 140-2 Level 3 HSMs are designed to provide a high level of security by enforcing strict access controls and using robust physical and logical security mechanisms. This level of certification ensures that HSMs can withstand both physical tampering and logical attacks, making them highly reliable for protecting cryptographic keys.


FIPS 140-2 Level 3 HSMs enforce multi-factor authentication and role-based access controls, ensuring that only authorized personnel can access and manage cryptographic keys. Also, if other parts of the network are compromised, the keys remain securely protected within the HSM.

Utilizing FIPS 140-2 Level 3 HSMs enables federal agencies to comply with regulatory requirements and standards, such as those set by NIST.
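An added example, not Fortanix code or the DSM API, of the access-control pattern this section describes, written in Go with only the standard library: key material lives behind a boundary that exposes operations but never the key itself, using a key requires both a role and a completed MFA step, and destroying a key needs an N-of-M quorum of distinct admin approvals (the quorum approval policy the conclusion lists). The role names, the `KeyService` type, and HMAC-SHA256 as the stand-in key operation are the example's own assumptions, not a description of any HSM's interface.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Role is a coarse RBAC role; the names are the example's own.
type Role int

const (
	RoleAuditor  Role = iota // may list keys, never use or destroy them
	RoleOperator             // may use keys for signing
	RoleAdmin                // may approve destructive operations
)

// Operator is an authenticated principal; MFAVerified records that the second factor was presented this session.
type Operator struct {
	Name        string
	Role        Role
	MFAVerified bool
}

// KeyService is the policy layer every key operation passes through. Key bytes
// live in an unexported map: the software analogue of an HSM that never exports them.
type KeyService struct {
	keys   map[string][]byte
	quorum int // distinct admin approvals needed to destroy a key
}

func NewKeyService(quorum int) *KeyService {
	return &KeyService{keys: map[string][]byte{}, quorum: quorum}
}

// Generate creates key material inside the boundary; the caller gets only an id.
func (s *KeyService) Generate(id string) error {
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		return err
	}
	s.keys[id] = material
	return nil
}

// Sign is the only way to exercise a key: the caller receives an HMAC-SHA256
// tag, never the key, and must hold the Operator role with MFA completed.
func (s *KeyService) Sign(op Operator, id string, msg []byte) (string, error) {
	if op.Role < RoleOperator {
		return "", fmt.Errorf("%s: role may not use keys", op.Name)
	}
	if !op.MFAVerified {
		return "", fmt.Errorf("%s: MFA required before key use", op.Name)
	}
	key, ok := s.keys[id]
	if !ok {
		return "", fmt.Errorf("no such key %q", id)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return hex.EncodeToString(mac.Sum(nil)), nil
}

// Delete is destructive, so it needs a quorum of distinct MFA-verified admins;
// the same admin approving twice counts once.
func (s *KeyService) Delete(id string, approvers []Operator) error {
	seen := map[string]bool{}
	for _, a := range approvers {
		if a.Role == RoleAdmin && a.MFAVerified {
			seen[a.Name] = true
		}
	}
	if len(seen) < s.quorum {
		return fmt.Errorf("quorum not met: %d of %d admin approvals", len(seen), s.quorum)
	}
	key, ok := s.keys[id]
	if !ok {
		return fmt.Errorf("no such key %q", id)
	}
	for i := range key { // zeroise before dropping the reference
		key[i] = 0
	}
	delete(s.keys, id)
	return nil
}

func main() {
	svc := NewKeyService(2)
	_ = svc.Generate("signing-key-1")
	alice := Operator{Name: "alice", Role: RoleOperator, MFAVerified: true}
	bob := Operator{Name: "bob", Role: RoleAdmin, MFAVerified: true}
	carol := Operator{Name: "carol", Role: RoleAdmin, MFAVerified: true}
	fmt.Println(svc.Sign(alice, "signing-key-1", []byte("record-42")))
	fmt.Println("one admin:", svc.Delete("signing-key-1", []Operator{bob}))
	fmt.Println("quorum:", svc.Delete("signing-key-1", []Operator{bob, carol}))
}
```

The point of the boundary is that a compromise elsewhere on the network yields, at most, the ability to request signatures under someone's credentials, never the key bytes; the quorum check additionally means no single administrator's credentials, stolen or not, can destroy or disable a key on their own.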

4) Security for SaaS Solutions

Federal agencies use SaaS applications to enhance efficiency, streamline processes, and enable seamless collaboration. SaaS solutions like Google Workspace, ServiceNow, and Snowflake offer scalable, flexible, and cost-effective alternatives to traditional software, helping agencies quickly adapt to changing needs. SaaS reduces the need for extensive IT support and infrastructure, allowing agencies to focus on their core missions.

However, each SaaS provider may use its own encryption protocols and key management practices, so there is no uniform standard of data security across them. Agencies using several SaaS applications often end up with encryption keys scattered across providers, which complicates management.

Fortanix’s External Key Manager services address these challenges by letting federal agencies bring their own keys (BYOK). BYOK allows an organization to control its encryption keys rather than relying on the SaaS provider’s built-in key management. Because the keys remain under the agency’s control, the agency can enforce its own security policies, set key rotation schedules, and ensure that only authorized individuals can access or manage the keys, while maintaining full visibility and auditability over key usage.
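The following Go program is an added example of the custody split that BYOK creates; it is not Fortanix code and does not model the External Key Manager's interface. The agency side holds an RSA private key that is never exported; the SaaS side receives only the public key, so it can wrap each tenant's data key but can never unwrap one locally. Every unwrap is a request to the agency, which applies policy (here, a per-tenant revocation list), binds the wrap to a tenant id through the OAEP label, and writes an audit entry. The type names, the tenant ids, and RSA-3072 with OAEP/SHA-256 as the wrapping scheme are the example's own assumptions; encrypting the data itself under the DEK is left out, since that side is unchanged by BYOK.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records each request to use the agency's key and the decision.
type AuditEntry struct {
	When    time.Time
	Tenant  string
	Allowed bool
	Reason  string
}

// AgencyKeyManager is the agency-side BYOK custodian. The RSA private key is
// unexported and never serialised; a SaaS provider only receives the public half.
type AgencyKeyManager struct {
	priv    *rsa.PrivateKey
	revoked map[string]bool
	Audit   []AuditEntry
}

func NewAgencyKeyManager() (*AgencyKeyManager, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 3072) // size is the example's choice
	if err != nil {
		return nil, err
	}
	return &AgencyKeyManager{priv: priv, revoked: map[string]bool{}}, nil
}

// PublicKey is everything a SaaS provider ever gets from the agency.
func (a *AgencyKeyManager) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Revoke cuts a tenant off: its wrapped DEKs can no longer be opened anywhere.
func (a *AgencyKeyManager) Revoke(tenant string) { a.revoked[tenant] = true }

// Unwrap is the only path back to a plaintext DEK. It applies the agency's
// policy and logs the decision, so key use stays visible and auditable even
// though the data lives with the SaaS provider.
func (a *AgencyKeyManager) Unwrap(tenant string, wrapped []byte) ([]byte, error) {
	entry := AuditEntry{When: time.Now(), Tenant: tenant}
	defer func() { a.Audit = append(a.Audit, entry) }()
	if a.revoked[tenant] {
		entry.Reason = "tenant revoked"
		return nil, errors.New(entry.Reason)
	}
	// The OAEP label binds each wrap to its tenant id, so a DEK wrapped for
	// one tenant cannot be unwrapped by naming another.
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, wrapped, []byte(tenant))
	if err != nil {
		entry.Reason = "wrap does not belong to this tenant"
		return nil, errors.New(entry.Reason)
	}
	entry.Allowed, entry.Reason = true, "ok"
	return dek, nil
}

// WrapDEK runs on the SaaS side with only the public key: the provider can
// produce wrapped DEKs but can never open them itself.
func WrapDEK(pub *rsa.PublicKey, tenant string, dek []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, []byte(tenant))
}

// NewDEK is a fresh 256-bit data key, generated on the SaaS side per object.
func NewDEK() ([]byte, error) {
	dek := make([]byte, 32)
	_, err := rand.Read(dek)
	return dek, err
}

func main() {
	km, err := NewAgencyKeyManager()
	if err != nil {
		panic(err)
	}
	dek, _ := NewDEK()
	wrapped, _ := WrapDEK(km.PublicKey(), "tenant-hhs", dek) // constructed tenant id
	_, err = km.Unwrap("tenant-hhs", wrapped)
	fmt.Println("unwrap:", err)
	_, err = km.Unwrap("tenant-other", wrapped)
	fmt.Println("wrong tenant:", err)
	km.Revoke("tenant-hhs")
	_, err = km.Unwrap("tenant-hhs", wrapped)
	fmt.Println("after revoke:", err)
	for _, e := range km.Audit {
		fmt.Printf("%s %s allowed=%v %s\n", e.When.Format(time.RFC3339), e.Tenant, e.Allowed, e.Reason)
	}
}
```

Two properties carry the BYOK argument: a breach of the SaaS provider exposes only wrapped DEKs and a public key, which are useless without the agency's private key, and revocation takes effect at the agency immediately, without the provider having to delete anything. The audit log is the agency's own record of key use, independent of whatever the provider logs.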

5) Achieve Crypto Agility

Crypto agility refers to the capability of a data security system to quickly adapt to and implement new cryptographic algorithms and protocols as they emerge. This flexibility allows organizations to replace weakened or outdated cryptographic algorithms with more robust alternatives without undergoing extensive system overhauls.

Fortanix helps organizations consolidate data security and achieve crypto agility by simplifying the discovery, assessment, and remediation of their current encryption key posture. First, Fortanix’s unified platform provides a central dashboard that allows security teams to locate and audit all encryption keys across the enterprise.

Second, Fortanix offers advanced analytics and reporting tools to assess the strength and compliance of existing encryption keys. These tools can quickly identify weak or vulnerable keys, as well as highlight areas where security policies need to be enforced or updated.

Fortanix automates remediation with straightforward mechanisms for key rotation, policy enforcement, and compliance. These features ensure encryption keys remain robust and current without extensive manual oversight.

Most importantly, our enterprise-grade platform enables the agile adoption of new algorithms. The latest NSA-recommended quantum-resistant algorithms are already supported, and Fortanix is quick to implement new NIST quantum-safe cryptography standards as they become available.
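As an added example (not Fortanix code, and not a description of how DSM's analytics work), the Go program below shows the assessment step this section describes together with the uniform-policy enforcement of section 1: one policy, applied identically to every environment, is run over a key inventory to flag retired algorithms, undersized keys, and keys past their rotation interval, each with its remediation, and the same check is applied before a new key is created so a deviation cannot be introduced in one environment by mistake. The inventory is constructed data, and the sizes and interval in `AgencyPolicy` are illustrative values chosen for the example, not a quotation of any NIST or NSA standard; substitute the values your own policy mandates.

```go
package main

import (
	"fmt"
	"time"
)

// KeyRecord is one row of a key inventory; SampleInventory below is constructed.
type KeyRecord struct {
	ID          string
	Environment string // "on-prem", "aws", "saas-snowflake", ...
	Algorithm   string // "AES", "RSA", "EC", "3DES", ...
	Bits        int
	Created     time.Time
}

// Policy is the single cryptographic policy applied to every environment.
type Policy struct {
	MinBits     map[string]int    // approved algorithms and their minimum size
	Replacement map[string]string // retired algorithm -> migration target
	MaxAge      time.Duration     // rotation interval
}

// AgencyPolicy holds illustrative values for this example, not a quotation of
// any standard; substitute the sizes and interval your own policy mandates.
func AgencyPolicy() Policy {
	return Policy{
		MinBits:     map[string]int{"AES": 256, "RSA": 3072, "EC": 256},
		Replacement: map[string]string{"3DES": "AES", "RC4": "AES"},
		MaxAge:      365 * 24 * time.Hour,
	}
}

// Finding is one deviation plus the remediation an operator should apply.
type Finding struct{ KeyID, Environment, Problem, Remediation string }

// Audit checks every key against the one policy, whatever environment it lives in.
func Audit(p Policy, inv []KeyRecord, now time.Time) []Finding {
	var out []Finding
	for _, k := range inv {
		need, approved := p.MinBits[k.Algorithm]
		switch {
		case !approved:
			out = append(out, Finding{k.ID, k.Environment,
				"retired algorithm " + k.Algorithm,
				"re-encrypt under " + p.Replacement[k.Algorithm] + ", then destroy this key"})
		case k.Bits < need:
			out = append(out, Finding{k.ID, k.Environment,
				fmt.Sprintf("%s-%d is below the policy minimum of %d bits", k.Algorithm, k.Bits, need),
				fmt.Sprintf("rotate to %s-%d", k.Algorithm, need)})
		}
		if age := now.Sub(k.Created); age > p.MaxAge {
			out = append(out, Finding{k.ID, k.Environment,
				fmt.Sprintf("key is %d days old, past the rotation interval", int(age.Hours()/24)),
				"rotate now and rewrap the data keys that depend on it"})
		}
	}
	return out
}

// ValidateNewKey is the enforcement side: the same policy applied before a key
// is created, so one environment cannot drift from the others by mistake.
func ValidateNewKey(p Policy, k KeyRecord) error {
	if f := Audit(p, []KeyRecord{k}, k.Created); len(f) > 0 {
		return fmt.Errorf("%s: %s (%s)", k.ID, f[0].Problem, f[0].Remediation)
	}
	return nil
}

// ByEnvironment counts deviations per environment, the view that exposes an
// environment whose configuration has drifted from the rest.
func ByEnvironment(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		counts[f.Environment]++
	}
	return counts
}

// SampleInventory is constructed data for the demonstration.
func SampleInventory(now time.Time) []KeyRecord {
	return []KeyRecord{
		{"db-master", "on-prem", "AES", 256, now.AddDate(0, -3, 0)},
		{"legacy-batch", "on-prem", "3DES", 168, now.AddDate(-4, 0, 0)},
		{"tls-signer", "aws", "RSA", 2048, now.AddDate(0, -6, 0)},
		{"backup-kek", "aws", "AES", 256, now.AddDate(-2, 0, 0)},
		{"snowflake-tenant", "saas-snowflake", "AES", 256, now.AddDate(0, -1, 0)},
	}
}

func main() {
	now := time.Now()
	findings := Audit(AgencyPolicy(), SampleInventory(now), now)
	for _, f := range findings {
		fmt.Printf("[%s] %s: %s -> %s\n", f.Environment, f.KeyID, f.Problem, f.Remediation)
	}
	fmt.Println("deviations per environment:", ByEnvironment(findings))
}
```

Crypto agility in this model is an edit to `Policy`, not to application code: adding a newly approved algorithm to `MinBits`, or moving an old one into `Replacement`, changes what the next audit flags and what `ValidateNewKey` accepts, and the per-environment counts show where the migration work is.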

Conclusion

Federal agencies manage diverse sensitive data, including national security information, classified intelligence, personally identifiable information (PII), healthcare records, and financial data. Each category presents unique security challenges.

National security data and classified intelligence demand stringent protection to prevent espionage and unauthorized access. Meanwhile, PII and healthcare records require robust safeguards to comply with privacy regulations such as HIPAA. Financial information must be secured under the Gramm-Leach-Bliley Act (GLBA).

Given the pervasive modern threats, agencies must proactively assess which systems and processes are most vulnerable, ensuring a smooth and secure transition. Fortanix DSM supports this objective by integrating advanced encryption, key management, and Zero Trust principles.

Additionally, it incorporates BYOK (Bring Your Own Key), HSMs (Hardware Security Modules), Multi-Factor Authentication (MFA), Role-Based Access Control (RBAC), and Quorum Approval policies. These measures collectively help maintain the highest levels of data security.
